You’re only a few steps away from deploying Alkemist:Source into your Yocto environment!
RunSafe Security’s Alkemist:Source for Yocto reduces attack surfaces and costs associated with frequent security updates and releases of IoT and embedded systems. Without changing a line of code – or slowing down product releases – you and your development teams can immunize your software by simply adding a layer to your Yocto build environment’s bblayers.conf file. The contents of that layer are accessible, for each Yocto release version (ARM and x86), via RunSafe’s Alkemist Self Service Portal (SSP).
What is Yocto?
The Yocto Project is a game-changing developer environment that streamlines the creation of custom embedded Linux distributions for any hardware architecture. Yocto uses “layers” and “recipes” to provide easy configuration management and a reliable and reproducible build process. This toolchain has opened the door to inserting security easily into the build process, reducing operational burdens downstream while increasing protection from cyberattacks for software built with Yocto.
What are the Benefits of Using Alkemist to Secure Embedded Linux Distributions?
- Implement a consistent security experience across every package in Yocto when you build with Alkemist, reducing support costs
- Inoculate software without slowing down software developers
- Give yourself additional time to push software updates to fielded, hard to reach systems
For Product Managers
- Dramatically reduce attack surface without slowing down developers
- Increase the supply chain integrity of open source components
- Reduce overall support costs resulting from patch madness and security incidents
- Differentiate product offering by immunizing code from known and unknown vulnerabilities
Secure Yocto in Seven Easy Steps
1. Select a Yocto Distribution
2. Clone Repos: The RunSafe-maintained meta-lfr layer contains all of the necessary configuration files to integrate LFR into a Yocto build environment.
3. Customize LFR layer.conf: The LFR_PACKAGE contains pre-built binaries cross-compiled for different CPU targets. Currently supported is 32-bit ARM, with support for 32- and 64-bit Intel and 64-bit ARM coming soon.
4. Prepare Build Environment: Sourcing oe-init-build-env prepares the environment for building Yocto recipes and images. Adding meta-lfr to the list of layers will result in all recipes being built with Alkemist protections in place.
5. Customize LFR local.conf: The binaries contained in the package provided from LFR_PACKAGE in step 3 coordinate with the qemuarm MACHINE target.
6. Build Yocto Image: This command will build the core-image-minimal image with Alkemist protections. The resulting image can be run using runqemu qemuarm. The bitbake command can be run to build other images, or individual recipes with LFR protection, using bitbake <recipe/image>.
7. Verify LFR Protection: This shows how to confirm that LFR has been applied to a given binary using the readelf tool from the binutils package. You must have binutils on your system for it to work, but it is commonly available.
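A pre-build check for steps 4 and 5 above, added here as an example and not RunSafe's own tooling: it reports when meta-lfr is missing from BBLAYERS or MACHINE does not resolve to qemuarm, so an image is not built and shipped without the layer applied. The sample configuration text, paths and function names are constructed for illustration, and the parser handles only simple quoted BitBake assignments (no overrides or flags).

```python
import re

# Simplified BitBake assignment: NAME <op> "value" (assumption: no overrides or flags).
ASSIGN = re.compile(r'^\s*(\w+)\s*(\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*"([^"]*)"\s*$')

def assignments(conf_text, name):
    """Yield (operator, value) for each assignment to `name`, in file order."""
    joined = conf_text.replace("\\\n", " ")  # join backslash-continued lines
    for line in joined.splitlines():
        if line.lstrip().startswith("#"):    # commented-out settings do not count
            continue
        m = ASSIGN.match(line)
        if m and m.group(1) == name:
            yield m.group(2), m.group(3)

def layer_names(bblayers_text):
    """Base names of the layer directories that end up in BBLAYERS."""
    names = []
    for op, value in assignments(bblayers_text, "BBLAYERS"):
        found = [p.rstrip("/").rsplit("/", 1)[-1] for p in value.split()]
        if op in ("=", ":="):
            names = found                    # hard assignment replaces the list
        elif op in ("?=", "??="):
            names = names or found           # defaults apply only if nothing is set
        else:
            names += found                   # append/prepend operators extend it
    return names

def effective(conf_text, name):
    """Resolve a variable: '=' wins, '?=' only if unset, '??=' as last resort."""
    value = weak = None
    for op, v in assignments(conf_text, name):
        if op in ("=", ":="):
            value = v
        elif op == "?=" and value is None:
            value = v
        elif op == "??=":
            weak = v
    return value if value is not None else weak

def preflight(bblayers_text, local_text, layer="meta-lfr", machine="qemuarm"):
    """Return a list of problems; an empty list means both settings are in place."""
    problems = []
    if layer not in layer_names(bblayers_text):
        problems.append(f"{layer} is not in BBLAYERS; recipes will build without it")
    got = effective(local_text, "MACHINE")
    if got != machine:
        problems.append(f"MACHINE is {got!r}, expected {machine!r}")
    return problems

# Constructed sample files (hypothetical paths).
BBLAYERS_SAMPLE = r'''
BBLAYERS ?= " \
  /home/build/poky/meta \
  /home/build/poky/meta-poky \
  /home/build/meta-lfr \
  "
'''
LOCAL_SAMPLE = '#MACHINE ?= "qemux86"\nMACHINE ?= "qemuarm"\nMACHINE ??= "qemux86-64"\n'
```

Run `preflight()` on the contents of conf/bblayers.conf and conf/local.conf from the build directory before invoking bitbake, and fail the CI job if the returned list is not empty.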
How Does Alkemist Work?
Alkemist uses remotely deployable binary runtime application self-protection (RASP) and Moving Target Defense (MTD) methods to immunize organizations from the biggest threat to software today: memory corruption exploits. It significantly reduces risk by eliminating the exploitation of vulnerabilities and precluding exploits from spreading across multiple devices and networks.
Originally born out of a research project for the Advanced Research Projects Agency of the Department of Defense (DARPA), Alkemist is the only automated cyberhardening tool to protect open source, in-house developed code, and third-party binaries while leaving each system functionally identical, but logically unique.
Resources for Yocto Developers
Frequently Asked Questions PDF
Yocto Project and Alkemist Integration: What do you need to know?